1. Introductions and apologies


1.1. There were apologies from Christopher Graham and 
Louise Byers at the ICO, from James Edmands at the NAO 
and from David Eagles at BDO. 


2. Declaration of interests 


2.1. It was noted that Roger Barlow, Heather Dove and Neil 
Bostock, who were attending this meeting, had all been 
subject to the data breach which was to be discussed later in 
the meeting. 


3. Action points from the Audit Committee meeting of the 
7 September 2015 


3.1. The minutes of the last meeting had been agreed in 
correspondence. They were presented here for information. 


3.2. The only action point outstanding from the last meeting 
was to agree a deadline for revision of the Framework 
Agreement with the Department for Culture, Media and Sport 
(DCMS). The ICO had an amended version with minor 
changes made ready to go, but there was a need to reflect 
both DCMS and government spending controls and possible 
changes to the end of year cash hand back rules. 


3.3. Discussion on the latter was ongoing and as soon as a 
form of words for this was agreed the expectation was that 
the Framework Agreement itself would be finalised fairly 
quickly. In effect the current rules used for calculating year 
end cash-back made it difficult to forecast the amount, and 
was based on cash accounting. The ICO wished to move to an 
accruals based system. 


3.4. It was not thought a problem that the ICO was currently 
working to an out of date Framework Agreement. There 
would always be a transition period. The provisions of the 
updated agreement would primarily come into force for the 
2016/17 year. 


4. Deputy Commissioner and Head of Finance Update 


4.1. Simon Entwisle provided an update on issues affecting 
the ICO. 


4.2. The DCMS had agreed grant in aid payments for 
freedom of information covering the next three years, and 
had agreed capital limits which were flexible and met the 
operational needs of the ICO. 


4.3. In respect of registration fee income the ICO was 
working on changes to the fee structure including increasing 
compliance with payment of the fee, targeting higher fees at 
those organisations which process more personal data, and 
was also considering ways of adjusting fee levels to better 
match the financial needs of the ICO (a rolling fee structure). 
Any changes made would also have to reflect the new EU 
Regulation on data protection when it comes into force. 


4.4. Simon Entwisle confirmed that Christopher Graham's 
last day in post as the Information Commissioner would be 
the 28 June and as such the aim was to lay and launch the 
ICO Annual Report and Accounts by then if at all possible. 
The timetable was to be discussed later in the meeting. 


4.5. Operationally the ICO had seen more freedom of 
information cases cleared in November. There had been 
concerns that clearances had failed to keep up with numbers 
of new cases being received. 


4.6. The new Senior Management Team (SMT), which had 
been set up following the recent departure of the two Deputy 
Commissioners, was considered to be working well. Agendas 
were full and SMT presented an opportunity to ensure that 
governance issues were covered properly. For example the 
Finance Steering Group reported monthly to SMT which 
meant that a wider group of managers were involved in, and 
made aware of, financial decisions. 


4.7. Heather Dove reported that the purchase management 
system was up and running. It provided more control on 
purchasing decisions but it did represent a change in the way 
the ICO worked. The need for more training and (possibly) 
for information sessions had been identified. 


4.8. Heather Dove also reported on the recruitment of a 
Management Accountant who was starting on 5 January to 
support the Head of Finance. In addition an interim Head of 
Finance was currently being recruited to work three days a 
week to cover for maternity leave. It was hoped both 
positions would be filled by January to allow Heather a hand 
over period of at least a month before the start of her leave. 


4.9. The October accounts were presented for information. 
The general financial position was as forecast and the slight 
drop in registration fee income (1%) was not thought 
significant. 


4.10. Discussions with DCMS on financial reporting were going 
well; in particular in respect of capital budgets as mentioned 
above. Capital expenditure would be notionally classified as 
data protection so the ICO would have the ability to decide on 
the capital/revenue split. DCMS have asked for a 5 year 
forecast. The direction of the ICO’s IT strategy, in reducing 
the need for capital expenditure, was noted, and the ICO 
would have to consider carefully its capital forecasting. 


4.11. It was also reported that the budget for 2016/17 was 
almost finalised and would go to DCMS before Christmas 
along with the draft ICO Plan 2016-2019. The ICO was 
forecasting a surplus for 2016/17. 


5. Risk Management 


5.1. Peter Bloomfield introduced an updated risk register 
which reflected recent changes, such as the move to the 
DCMS. Given this move and various other decisions which 
had now been made, there was a need for a more 
fundamental update to the risk register. This would be taken 
forward shortly. 


5.2. The Committee noted that how the ICO dealt with 
nuisance telephone calls needed to be considered a risk area. 
Simon Entwisle provided an update on recent initiatives 
aimed at tackling nuisance telephone calls. 


5.3. The delay in publication of the triennial review was also 
discussed. Notwithstanding this delay, the recruitment 
exercise for the next Commissioner had begun. The ICO did 
need to consider the possibility of a delay in the next 
Commissioner taking up their post. 


6. Outstanding Audit Recommendations 


6.1. Delayed actions on audit recommendations, both 
internal and external, were highlighted. Work on confirming 
IT assets might be delayed but the intention was for the new 
Management Accountant to take this action forward once 
they were in place. 


7. Internal audit 


7.1. Grant Thornton presented two audit reports; one on ICO 
performance management and the other on the new finance 
system and benefits realisation. 


7.2. They had identified three amber recommendations 
relating to managers’ guidance, Learning and Development 
records on discussions that take place, and on information for 
SMT on the effectiveness of the process. 


7.3. The performance development review (PDR) process 
had recently been simplified and was aimed at identifying 
those who were not performing. It was based on three 
questions for the member of staff: 


7.3.1. How am I doing? 
7.3.2. What can we do to improve? and 
7.3.3. What more can I do to develop? 


7.4. The background behind the change to the PDR process 
was explained. Given the ongoing 1% pay cap and the 
consequent difficulty in providing meaningful performance 
pay, the focus was now on identifying and acting on poor 
performance rather than identifying good performance. Good 
performance was being recognised more now by managers 
and the promotion opportunities that were available at 
certain levels within the ICO. 


7.5. The Committee welcomed the changes to the PDR 
process but expressed a more general concern about whether 
the resources and skills available in the ICO were adequate to 
manage this sort of change and other people issues. Simon 
Entwisle advised that there had been some recent changes in 
the Organisational Development Team and that a People 
Strategy was being developed. 


Action point 1: Simon Entwisle to advise non-executive 
Directors on the People Strategy when it was finalised. 


7.6. In respect of the new finance system this review had 
looked at whether the project had delivered the benefits 
identified. An overall green assessment had been given; the 
system was delivering the benefits. However, there had been 
no formal Project Initiation Document agreed so project 
deliverables did not fully align with the final identified 
benefits. This was reflected in the one medium 
recommendation made. 


7.7. Finally Grant Thornton provided a summary report on 
progress against the internal audit plan. Most of the reviews 
had been completed. The review of core financial controls 
would be discussed with the Head of Finance after the 
meeting and the follow up review would be taken forward 
with Corporate Governance. In respect of planning audits for 
next year, representatives from Grant Thornton would meet 
with SMT to discuss internal audit and the areas managers 
wanted to focus on, using the audit areas identified last year 
but put off as possible audits for 2016/17 as a starter. 


8. External Audit 


8.1. BDO introduced the audit planning report. They had 
already met with Heather Dove and Peter Bloomfield and 
agreed the timetable which included an early January visit 
whilst Heather was still at the ICO. 


8.2. In respect of the audit timetable this linked with 
discussion on the timetable for development of the Annual 
Report and Accounts. It was not possible for the Audit 
Committee meeting scheduled for early June (at which the 
Annual Report and Accounts would be signed off) to be 
moved forward as there had to be time to prepare and audit 
the accounts. This did mean the schedule for designing, 
printing and laying the document would be tight. 


8.3. Actions to mitigate against the risks were discussed. A 
template had already been developed, and those involved 
(designers, printers and those providing information) would 
be approached early to ensure a full understanding of the 
timescales and what was required. 


8.4. One area which historically had been problematic was 
pension information needed for remuneration reports. This 
would be focused on. 


8.5. Unfortunately Ailsa Beaton was unable to attend the 
June meeting and it was agreed that an opportunity should 
be provided for Ailsa to input at an earlier stage, on the 2 
June. 


Action point 2: Peter Bloomfield to re-visit the plan for 
developing the Annual Report and Accounts, building in 
the early discussion with Ailsa Beaton and contacts 
with those involved. 


8.6. Finally there was discussion on the NAO/BDO audit fee. 
Last year the fee had been increased by £2.5k because of the 
additional work identified at the time due to the move to the 
new finance system in particular. This had been described as 
a one off increase, but the proposed fee for this year also 
included a £2.5k increase arising from further risks identified. 
The Committee accepted the increase for this year given the 
changes. But it still had concerns about the level of charges 
compared to commercial audit firms and flagged that the 
Committee would like to re-visit fees next year. 


9. Annual Report and Accounts 


9.1. It was confirmed that this agenda item had been 
covered by agenda item eight. 


10. Fraud, whistleblowing and security incidents 


10.1. The Committee discussed the recent data breach 
involving ICO payroll information. Access to ICO records had 
been provided to an HR professional in another organisation 
who had immediately realised they should not have had 
access. Twenty eight employees had been affected and had 
been advised by letter personally about the breach and the 
extent of the breach. 


10.2. Simon Entwisle confirmed that it had handled the issue 
as it would have done if it had happened to an external body. 
It had been investigated by the internal compliance team and 
Enforcement Team. The ICO understood how the issue had 
occurred and were satisfied with the steps the payroll 
provider was taking in consequence. 


10.3. The Committee asked whether those affected had been 
reassured by the steps the ICO had taken. Simon Entwisle 
thought they had; there had been one question from a 
member of staff. And feedback from those attending the 
Committee was that they too had been reassured. 


10.4. The Committee asked whether, if bank details had been 
made available, the ICO would have allowed staff to make 
credit checks. Simon stated that this would be considered 
depending on the circumstances. 


11. Any other urgent business 


11.1. It was asked whether the ICO would look at 
offsetting recovery costs against Civil Monetary Penalties 
(CMPs) again now sponsorship responsibility had moved to 
DCMS. This was being looked at. 


Action point 3: Heather Dove to report back to the next 
Audit Committee on progress in looking at recovering 
costs from CMPs in respect of breaches under the PECR 
and whether this could influence decisions on the 
overall CMP recovery policy. 


